Microsoft unveils a new credential phishing campaign that leverages an open redirect mechanism to evade security systems. Microsoft has published a long list of phishing domains actively used in this new credential phishing campaign. This list shows that how much the adversaries have invested in this phishing campaign. How extensive would the credential phishing campaign be? Let’s see the listed domains which are part of the credential phishing campaign.
Phishing is one of the most prevalent and effective social engineering techniques, growing these days. There are two main motives behind phishing attacks: harvest credentials and ship malware to the victim’s machine, leading to further attacks. In this phishing campaign, attackers used an extremely prevalent way ‘open redirect links’ to effectively bypass the security system to deliver the phishing emails to the victim’s inbox.
What Is An Open Redirect Vulnerability?
Open redirect link refers to a case in which a web application accepts a user-controlled input that could cause the web application to redirect the request to a URL. However, suppose an attacker replaces the URL input with a malicious site to redirect the request to a malicious URL to steal user credentials. In that case, it is called open redirect vulnerability.
This image is an example of an open redirect vulnerability. Here, the attacker used a domain-generation algorithm (DGA) domain (c-hi[.]xyz) in the parameter of the trusted domain. When a user hovers his mouse on this URL, he believes that this is a trusted URL. However, when he clicks on the link, it takes the user to the malicious domain in the parameter.
Why Do Attackers Use Open Redirect Vulnerabilities To Run Credential Phishing Campaign?
It is pretty common to see open redirect links among organizations for various reasons. Companies’ sales and marketing representatives use open redirect links in their emails to lead their clients or customers to the desired landing page as a business strategy to increase sales, user experience, and productivity. However, threat actors abuse this feature to link to a URL from a trusted domain and embed the malicious URL as a parameter.
Such open redirect vulnerabilities help attackers evade the organizations’ security systems and deliver the email to the victim’s inbox. For example, When a malicious URL is set as a parameter for a legitimate URL, traditional security solutions may pass through such requests because the security solutions might have been trained to identify only the primary URL. The security system may fail to check the malicious parameters embedded.
How Does This New Credential Phishing Attacks Work?
- Attackers send phishing emails: The campaign starts with sending emails to the victims. The report says that Attackers followed a pattern in the email content across the drive.
- The content of the email will be inside a box.
- The email will have a large button with an open redirect link that takes the victims to the credential harvesting phishing page.
- The subject of the email will most likely be created with the recipient’s domain and a timestamp.
- Users are tricked into clicking on the open redirect link: when users hover their mouse cursor over the button, they will see the complete URL that looks legitimate as attackers crafted the open redirect links using a legitimate service. The fact is a malicious phishing URL has been embedded in the parameter of the open redirect link.
- Phishing page verifies reCAPTCHA verification: When users clicked on the crafted open redirect links, users will be redirected to the attacker’s phishing site. These phishing sites used Google reCAPTCHA services to evade email security systems.
- Users will see a fake login page to enter the credentials: After users complete the reCAPTCHA verification, users will see a fake login page that impersonates the original site. The site is prepopulated with the victim’s email address to make the site look more legitimate. Adversaries can also use this strategy to bypass the Single Signe On (SSO) authentication either.
- Credentials get compromised: If users enter their credentials on the phishing URL, the page throws an error saying the page is timed out or the password was incorrect. This is to make the user enter the credentials twice to confirm the credentials. Upon entering the credentials for a second time, the page directs to the legitimate Sophos website, which says the message has been released. Once your credentials are harvested, attackers can use your credentials to carry out more attacks.
See Also Top Strategies for Effective Vendor Risk Management Programs
How To Prevent Credential Phishing Attacks And Open Redirect Vulnerability?
The best ways to prevent being a victim of phishing campaign are:
- Educate yourselves: The first level of protection would be learning about phishing techniques. Please be aware of the phishing techniques, don’t be the scape sheep of the campaign.
- Use anti-phishing toolbars and security solutions: We recommend buying a good anti-phishing solution. The simple and easiest way is to use anti-phishing toolbars on the browser.
- Don’t click on the links shared from untrusted sources. Examine the grammar of the email you received and the spelling of the URL before you click on it. Report about the phishing emails or links to your anti-phishing solutions if possible.
- Don’t open the attachments if you received them from an unknown source. Verify the email header from the tools like MXToolBox.
- Use good security tools like antivirus solutions, network intrusion detection, firewalls, URL filtering tools, spam filters, and adblockers to protect from many types of phishing attacks.
- Do regular password resets and use complex passwords.
- Enable MFA multi-factor authentication.
List Of Phishing Domains Which Are Part Of New Credential Phishing Campaign:
Patterns of Secondary redirected domains:
The secondary domains used in the parameter URLs most likely follow a specific domain-generation algorithm (DGA) pattern and use .xyz, .club, .shop, and .online TLDs.
- [letter]-[letter][letter].xyz
- [letter]-[letter][letter].club
Secondary Domains:
Some of the captured secondary domains in the crafted open redirect links in this credential phishing campaign are:
- c-tl[.]xyz
- a-cl[.]xyz
- j-on[.]xyz
- p-at[.]club
- i-at[.]club
- f-io[.]online
Sender Domains:
Adversaries used a wide range of domains to send emails, and the sender domains could be from any of these.
- Attacker-owned DGA domains
- Compromised legitimate domains
- Domains ending in .co.jp
- Free email domains
Patterns Of Sender Domains:
- [word or string of characters]-[word][number], incrementing by one, for example: masihtidur-shoes08[.]com
- [number][word or string of characters]-[number], incrementing by one, for example: 23moesian-17[.]com
- [word][word][number], incrementing by one, for example: notoficationdeliveryamazon10[.]com
- [word or letters][number]-[number], incrementing by one, for example: dak12shub-3[.]com
Secondary Domains:
Some of the captured primary domains that match the DGA patterns:
| masihtidur-shoes08[.]com | masihtidur-shoes07[.]com | masihtidur-shoes04[.]com | bas9oiw88remnisn-14[.]com |
| masihtidur-shoes02[.]com | masihtidur-shoes01[.]com | wixclwardwual-updates9[.]com | romanseyilefreaserty0824r-4[.]com |
| wixclwardwual-updates8[.]com | wixclwardwual-updates7[.]com | wixclwardwual-updates6[.]com | securemanageprodio-04[.]com |
| wixclwardwual-updates5[.]com | wixclwardwual-updates10[.]com | wixclwardwual-updates1[.]com | suppamz2-piryshj01-9[.]com |
| zxcsaxb-good8[.]com | zxcsaxb-good6[.]com | zxcsaxb-good5[.]com | solution23-servviue-7[.]com |
| zxcsaxb-good4[.]com | zxcsaxb-good3[.]com | zxcsaxb-good10[.]com | solution23-servviue-27[.]com |
| trashxn-euyr9[.]com | trashxn-euyr7[.]com | trashxn-euyr6[.]com | solution23-servviue-9[.]com |
| trashxn-euyr5[.]com | trashxn-euyr3[.]com | trashxn-euyr20[.]com | solution23-servviue-17[.]com |
| trashxn-euyr2[.]com | trashxn-euyr19[.]com | trashxn-euyr18[.]com | solution23-servviue-30[.]com |
| trashxn-euyr17[.]com | trashxn-euyr16[.]com | trashxn-euyr15[.]com | solution23-servviue-10[.]com |
| trashxn-euyr14[.]com | trashxn-euyr12[.]com | trashxn-euyr11[.]com | solution23-servviue-24[.]com |
| trashxn-euyr10[.]com | trashxn-euyr1[.]com | berangberang-9[.]com | service-account-7243[.]com |
| berangberang-7[.]com | berangberang-12[.]com | berangberang-6[.]com | service-account-374567[.]com |
| notoficationdeliveryamazon8[.]com | berangberang-8[.]com | berangberang-3[.]com | gxnhfghnjzh809[.]com |
| berangberang-4[.]com | berangberang-10[.]com | berangberang-11[.]com | accountservicealert003[.]com |
| berangberang-13[.]com | berangberang-5[.]com | 77support-update23-4[.]com | care887-yyrtconsumer23-23[.]com |
| posher876ffffff-30[.]com | posher876ffffff-5[.]com | posher876ffffff-25[.]com | care887-yyrtconsumer23-26[.]com |
| fenranutc0x24ai-11[.]com | organix-xtc21[.]com | fenranutc0x24ai-13[.]com | laser9078-ter10[.]com |
| fenranutc0x24ai-4[.]com | fenranutc0x24ai-17[.]com | fenranutc0x24ai-18[.]com | hayalanphezor-3sit[.]com |
| adminsecurity102[.]com | adminsecurity101[.]com | 23moesian-17[.]com | ressstauww-6279-3[.]com |
| 23moesian-10[.]com | 23moesian-11[.]com | 23moesian-26[.]com | ressstauww-6279-7[.]com |
| 23moesian-19[.]com | 23moesian-2[.]com | cokils2ptys-3[.]com | ketiak-muser14[.]com |
| cokils2ptys-1[.]com | 23moesian-20[.]com | 23moesian-15[.]com | spammer-comingson01[.]com |
| 23moesian-18[.]com | 23moesian-16[.]com | sux71a37-net19[.]com | spammer-comingson05[.]com |
| sux71a37-net1[.]com | sux71a37-net25[.]com | sux71a37-net14[.]com | posidma-posidjar03[.]com |
| sux71a37-net18[.]com | sux71a37-net15[.]com | sux71a37-net12[.]com | tembuslah-bandar01[.]com |
| sux71a37-net13[.]com | sux71a37-net20[.]com | sux71a37-net11[.]com | tembuslah-bandar04[.]com |
| sux71a37-net27[.]com | sux71a37-net2[.]com | sux71a37-net21[.]com | tembuslah-bandar07[.]com |
| bimspelitskalix-xuer9[.]com | account-info005[.]com | irformainsition0971a8-net16[.]com | tembuslah-bandar10[.]com |
| bas9oiw88remnisn-12[.]com | bas9oiw88remnisn-27[.]com | bas9oiw88remnisn-26[.]com | solution23-servviue-23[.]com |
| bas9oiw88remnisn-11[.]com | bas9oiw88remnisn-10[.]com | bas9oiw88remnisn-5[.]com | hayalanphezor-7sit[.]com |
| bas9oiw88remnisn-13[.]com | bas9oiw88remnisn-1[.]com | bas9oiw88remnisn-7[.]com | solution23-servviue-15[.]com |
| bas9oiw88remnisn-3[.]com | bas9oiw88remnisn-20[.]com | bas9oiw88remnisn-8[.]com | suppamz2-piryshj01-6[.]com |
| bas9oiw88remnisn-23[.]com | bas9oiw88remnisn-24[.]com | bas9oiw88remnisn-4[.]com | solution23-servviue-16[.]com |
| bas9oiw88remnisn-25[.]com | romanseyilefreaserty0824r-2[.]com | romanseyilefreaserty0824r-1[.]com | romanseyilefreaserty0824r-5[.]com |
| sux71a37-net26[.]com | sux71a37-net10[.]com | sux71a37-net17[.]com | solution23-servviue-19[.]com |
| maills-activitymove02[.]com | maills-activitymove04[.]com | solution23-servviue-26[.]com | solution23-servviue-18[.]com |
| maills-activitymove01[.]com | copris7-yearts-6[.]com | copris7-yearts-9[.]com | solution23-servviue-13[.]com |
| copris7-yearts-5[.]com | copris7-yearts-8[.]com | copris7-yearts-37[.]com | solution23-servviue-4[.]com |
| securityaccount102[.]com | copris7-yearts-4[.]com | copris7-yearts-40[.]com | solution23-servviue-5[.]com |
| copris7-yearts-7[.]com | copris7-yearts-38[.]com | copris7-yearts-39[.]com | service-account-735424[.]com |
| romanseyilefreaserty0824r-6[.]com | rick845ko-3[.]com | rick845ko-2[.]com | service-account-764246[.]com |
| rick845ko-10[.]com | fasttuamz587-4[.]com | winb2as-wwersd76-19[.]com | xcfhjxfyxnhnjzh10[.]com |
| winb2as-wwersd76-4[.]com | winb2as-wwersd76-6[.]com | org77supp-minty662-8[.]com | care887-yyrtconsumer23-24[.]com |
| winb2as-wwersd76-18[.]com | winb2as-wwersd76-1[.]com | winb2as-wwersd76-10[.]com | care887-yyrtconsumer23-27[.]com |
| org77supp-minty662-9[.]com | winb2as-wwersd76-12[.]com | winb2as-wwersd76-20[.]com | laser9078-ter11[.]com |
| account-info003[.]com | account-info012[.]com | account-info002[.]com | hayalanphezor-6sit[.]com |
| laser9078-ter17[.]com | account-info011[.]com | account-info007[.]com | romanseyilefreaserty0824r-3[.]com |
| notoficationdeliveryamazon1[.]com | notoficationdeliveryamazon20[.]com | notoficationdeliveryamazon7[.]com | ressstauww-6279-10[.]com |
| notoficationdeliveryamazon17[.]com | notoficationdeliveryamazon12[.]com | contackamazon1[.]com | ressstauww-6279-1[.]com |
| notoficationdeliveryamazon6[.]com | notoficationdeliveryamazon5[.]com | notoficationdeliveryamazon4[.]com | ketiak-muser13[.]com |
| notoficationdeliveryamazon18[.]com | notoficationdeliveryamazon13[.]com | notoficationdeliveryamazon3[.]com | spammer-comingson02[.]com |
| notoficationdeliveryamazon14[.]com | gaplerr-xt5[.]com | posher876ffffff-29[.]com | spammer-comingson07[.]com |
| kenatipurecehkali-xt3[.]com | kenatipurecehkali-xt13[.]com | kenatipurecehkali-xt4[.]com | posidma-posidjar05[.]com |
| kenatipurecehkali-xt12[.]com | kenatipurecehkali-xt5[.]com | wtbwts-junet1[.]com | tembuslah-bandar02[.]com |
| kenatipurecehkali-xt6[.]com | hayalanphezor-2sit[.]com | hayalanphezor-1sit[.]com | tembuslah-bandar05[.]com |
| noticesumartyas-sc24[.]com | noticesumartyas-sc13[.]com | noticesumartyas-sc2[.]com | tembuslah-bandar08[.]com |
| noticesumartyas-sc17[.]com | noticesumartyas-sc22[.]com | noticesumartyas-sc5[.]com | organix-xtc18[.]com |
| noticesumartyas-sc4[.]com | noticesumartyas-sc21[.]com | noticesumartyas-sc25[.]com | bimspelitskalix-xuer7[.]com |
| appgetbox3[.]com | notoficationdeliveryamazon19[.]com | notoficationdeliveryamazon10[.]com | solution23-servviue-1[.]com |
| appgetbox9[.]com | appgetbox8[.]com | appgetbox6[.]com | solution23-servviue-25[.]com |
| notoficationdeliveryamazon2[.]com | appgetbox7[.]com | appgetbox5[.]com | solution23-servviue-11[.]com |
| notoficationdeliveryamazon23[.]com | appgetbox10[.]com | notoficationdeliveryamazon16[.]com | cokils2ptys-6[.]com |
| hvgjgj-shoes08[.]com | hvgjgj-shoes13[.]com | jgkxjhx-shoes09[.]com | solution23-servviue-8[.]com |
| hvgjgj-shoes15[.]com | hvgjgj-shoes16[.]com | hvgjgj-shoes18[.]com | suppamz2-piryshj01-1[.]com |
| hvgjgj-shoes20[.]com | hvgjgj-shoes12[.]com | jgkxjhx-shoes02[.]com | solution23-servviue-12[.]com |
| hvgjgj-shoes10[.]com | jgkxjhx-shoes03[.]com | hvgjgj-shoes11[.]com | solution23-servviue-20[.]com |
| hvgjgj-shoes14[.]com | jgkxjhx-shoes05[.]com | jgkxjhx-shoes04[.]com | solution23-servviue-14[.]com |
| hvgjgj-shoes19[.]com | jgkxjhx-shoes08[.]com | hpk02h21yyts-6[.]com | service-account-8457845[.]com |
| romanseyilefreaserty0824r-7[.]com | gets25-amz[.]net | gets30-amz[.]net | service-account-762441[.]com |
| gets27-amz[.]net | gets28-amz[.]net | gets29-amz[.]net | accountservicealert002[.]com |
| gets32-amz[.]net | gets3-amz[.]net | gets31-amz[.]net | bas9oiw88remnisn-15[.]com |
| noticesumartyas-sc19[.]com | noticesumartyas-sc23[.]com | noticesumartyas-sc18[.]com | care887-yyrtconsumer23-25[.]com |
| noticesumartyas-sc15[.]com | noticesumartyas-sc20[.]com | noticesumartyas-sc16[.]com | bimspelitskalix-xuer6[.]com |
| noticesumartyas-sc29[.]com | rick845ko-1[.]com | bas9oiw88remnisn-9[.]com | hayalanphezor-4sit[.]com |
| rick845ko-5[.]com | bas9oiw88remnisn-21[.]com | bas9oiw88remnisn-2[.]com | solution23-servviue-6[.]com |
| bas9oiw88remnisn-19[.]com | rick845ko-6[.]com | bas9oiw88remnisn-22[.]com | sytesss-tas7[.]com |
| bas9oiw88remnisn-17[.]com | bas9oiw88remnisn-16[.]com | adminmabuk103[.]com | hvgjgj-shoes01[.]com |
| account-info008[.]com | suppamz2-piryshj01-3[.]com | dak12shub-1[.]com | ketiak-muser15[.]com |
| securemanageprodio-02[.]com | securemanageprodio-05[.]com | securemanageprodio-01[.]com | spammer-comingson04[.]com |
| dak12shub-3[.]com | dak12shub-9[.]com | dak12shub-8[.]com | posidma-posidjar01[.]com |
| dak12shub-6[.]com | dak12shub-10[.]com | dak12shub-4[.]com | posidma-posidjar06[.]com |
| securemanageprodio-03[.]com | org77supp-minty662-7[.]com | winb2as-wwersd76-7[.]com | tembuslah-bandar03[.]com |
| org77supp-minty662-10[.]com | bimspelitskalix-xuer2[.]com | gets34-amz[.]net | tembuslah-bandar06[.]com |
| gets35-amz[.]net | service-account-7254[.]com | service-account-76357[.]com | tembuslah-bandar09[.]com |
| service-account-7247[.]com | account-info004[.]com | service-account-5315[.]com |
Thanks for reading this post, which has the list of phishing domains actively used in this new credential phishing campaign and helps create awareness against credential phishing campaigns.
Related posts:
Microsoft Warns of the StrRAT Malware Campaign Targeting Windows Systems
What is Image Phishing? How Do QR-Codes Take Image Phishing (Qishing) to the Next Level?
AlienFox- New Credential Stealer Toolkit Targeting 18 Cloud Services
A New Javascript Injection Campaign on WordPress Websites Try Pushing RATs